lock down sshd on aristotle

boxes/aristotle/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ../../lappy-config
     ./paperless.nix
+    ./sshd.nix
     ./agenix.nix
     ./hardware-configuration.nix
   ];
@@ -101,6 +102,7 @@
     ledger
     gnuplot
     anki-bin
+    x11vnc
 
     # for the remote access functionality
     vscode-fhs
@@ -133,9 +135,5 @@
     wantedBy = []; # start only when I say so
   };
 
-  # make sshd a `systemctl start sshd` command away
-  services.openssh.enable = true;
-  systemd.services.sshd.wantedBy = lib.mkForce [];
-
   system.stateVersion = "24.05";
 }

boxes/aristotle/sshd.nix

@@ -0,0 +1,27 @@
+{ lib, machines, ... }:
+{
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+    listenAddresses = [
+      {
+        addr = "0.0.0.0";
+        port = 2222;
+      }
+    ];
+  };
+
+  users.users.usr.openssh.authorizedKeys.keys = with machines; [
+    copernicus.pubkey
+    aristotle.pubkey
+    phone.pubkey
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+
+  # don't start the sshd immediately
+  systemd.services.sshd.wantedBy = lib.mkForce [];
+}

config/ssh/config

@@ -1,30 +1,18 @@
-Host mainsail
-	User usr
-	Port 22
-
-Host phone
-	User u0_a193
-	Port 8022
-
 Host netbox
 	HostName beepboop.systems
 	User ryan
 	Port 443
 
-Host mainsail-prox
-	HostName localhost
-	User usr
-	Port 55554
-	ProxyJump netbox
-
-Host mlg-prox
-	HostName localhost
+Host copernicus-proxy
+	HostName 10.100.0.2
 	User usr
 	Port 2222
-	ProxyJump mainsail-prox
+	ProxyJump netbox
 
-Host x230t-prox
-	HostName x230t
+Host copernicus
 	User usr
-	Port 22
-	ProxyJump mainsail-prox
+	Port 2222
+
+Host aristotle
+	User usr
+	Port 2222

lappy-config/ssh/config

@@ -12,3 +12,7 @@ Host copernicus-proxy
 Host copernicus
 	User usr
 	Port 2222
+
+Host aristotle
+	User usr
+	Port 2222